Technical and Organizational
Security Measures

Introduction 

This document outlines the technical and organizational measures implemented by Bito to ensure the security and integrity of data processed within our systems. These measures are designed to protect against unauthorized access, data breaches, and other security threats.

1. Access Controls

Effective access control mechanisms are critical to ensure that only authorized personnel can access sensitive data and systems. Bito implements the following access control measures:

1.1 Authentication

• Multi-Factor Authentication (MFA):
  • MFA is required for all administrative access to systems and applications.
  • Users must provide at least two forms of verification (e.g., password and a one-time code sent to their mobile device).
• Strong Password Policies:
  • Passwords must meet complexity requirements (minimum length, use of uppercase and lowercase letters, numbers, and special characters).
  • Account lockout mechanisms are in place after a specified number of failed login attempts.

1.2 Authorization

• Role-Based Access Control (RBAC):
  • Access to systems and data is granted based on the user’s role within the organization.
  • Roles are defined based on the principle of least privilege, ensuring users have only the access necessary to perform their job functions.
  • Regular reviews of role assignments to ensure they are current and appropriate.
  • Administrator access to the production systems is granted based on job roles and responsibilities and limited to authorized personnel
• Access Approval Process:
  • Requests for access to sensitive data or systems must be approved by the appropriate manager or data owner.
  • Access changes (grants, modifications, revocations) are documented and audited.

1.3 User Provisioning and De-provisioning

• Onboarding Process:
  • New employees are provided with access based on their role and responsibilities.
  • A standardized onboarding checklist ensures all required access is granted systematically.
• Offboarding Process:
  • Access for departing employees is revoked immediately upon termination or resignation.
  • A standardized offboarding checklist ensures all access rights are removed systematically.
• Periodic Access Reviews:
  • Periodic reviews (e.g., quarterly) of user access levels to ensure compliance with the principle of least privilege.
  • Any unnecessary or outdated access rights are revoked.

2. Compliance, Governance and Risk Management

Bito performs annual security operational risk assessments of production applications and services. Results from risk assessment activities are documented in a risk register and prioritized for treatment based on risk level. We also perform risk-based continuous control monitoring throughout the year by performing control testing using a formal methodology. The testing results are documented and reviewed by management, including remediation plans for identified observations.

3. Systems Security

3.1 Application & Infrastructure Security

Infrastructure management and configuration management tools are used for security hardening and to ensure baseline configuration standards have been established for production servers

3.2 Separation of Environments

Bito production and non-production environments are hosted on different clouds with different network segregation in place. We also maintain strict firewall rules to achieve this separation. We do not utilize or share data among these environments. Non-production is only utilized for development or testing purposes.

3.3 Monitoring and Alerting

Bito employs a continuous monitoring system to oversee the health and performance of various microservices. We also utilize a centralized log management system for the collection, storage, and analysis of log data in our production environment. This information is used by our developers for health monitoring, troubleshooting, and security purposes, including intrusion detection. Automated alerts are in place to ensure awareness and maintain platform uptime. Production log data is retained for 10 days.

3.4 Threat and Vulnerability Management

Bito conducts scoped vulnerability scans against the application code to identify threats and assess their potential impact to the system using own code review agent (CRA). Results are evaluated and remediated according to severity level post approval from various stakeholders.

3.5 Encryption

Bito encrypts data at rest on the storage backend using the Server-Side Encryption (SSE) mechanism provided by AWS S3 and employs EBS encryption for server storage. Although data in transit is not encrypted, it is transmitted over a secure communication channel via the HTTPS protocol for interactions with various endpoints within the infrastructure and over the internet.

4. Incident Response and Communications

4.1 Security Incident Response Plan

In an event where Bito platform becomes aware of a Data Breach or other security incident, Bito will follow the Security Incident Response Plan, which includes:

1. Notify Customer without undue delay after Bito becomes aware of the Data Breach
2. As part of the notification, provide the Customer with information regarding the Data Breach, to the extent such information is available to Bito, to enable Customer to comply with its notification requirements under the Applicable Data Protection Laws.
3. Promptly commence an investigation into the Data Breach and take appropriate remedial steps to prevent and minimize any probable harm. For the avoidance of doubt, Data Breaches will not include unsuccessful attempts to, or activities that do not compromise the security of Personal Data.
4. These obligations shall not apply to incidents caused by the Customer or their users.
5. To the extent possible, we will subsequently update with information regarding evaluation of the root cause, potential impact, remediation actions taken, and actions planned to prevent a future similar event.

The Security Incident Response Plan is reviewed, updated, and tested annually, including a security tabletop exercise at least once per year.

5. Contingency Planning

5.1. High Availability and Failover.

All the services in Bito infrastructure are deployed as a multiple replica set approach that provides automatic failover in the event of a failure across multiple availability zones within a region.

5.2 Backups

All the backups that are stored in S3 bucket are encrypted at rest via Amazon server-side encryption. Access to these backups is given on a request basis with proper approval through secure channels from dedicated stakeholders/managers.

5.3 Business Continuity and Disaster Recovery

In case of disaster where our service becomes unavailable, the service will return an error and the git hook will stop working. In such scenarios we will notify the customer as soon as we identify the issue. We are setting up a BCP and DRP and another AWS region to handle such scenarios. Our RTO is currently 12 hours and RPO is 24 hours.

6. Security Awareness Training Programs

Bito team members complete security awareness training upon hire and annually thereafter. The training includes relevant Bito security policies, instructions for reporting security incidents and general industry security best practices. Compliance checks are tracked, and notifications are sent to employees who fail to complete the training on time.

7. Additional Considerations

The Bito application is designed to allow customers to delete their own data when no longer needed.

AWS (for Bito.ai) is responsible for implementing controls to manage physical and logical access to the servers and supporting infrastructure, underlying network and virtualization management software for its cloud hosting services where Bito processing systems reside.

Customers may choose to implement technical and organizational measures related to customer-owned data.